Abstract


After obtaining the victim’s vulnerability list, the attacker makes a plan for the possible attack.
With that list the attacker exploits the victim’s network or system and compromises the security
and information of that system. But if the victim removes all the vulnerabilities from the system,
the attacker will not be able to exploit the victim’s network. By applying the VAPT technique, a
user can find the vulnerabilities that can result in various severe attacks, such as DDoS attacks.
After finding the vulnerabilities, the user can apply countermeasures against them. To make the
system vulnerability free, the administrator should find the vulnerabilities in his own network by
applying the complete vulnerability assessment and penetration testing cycle to the system/network.
Once the administrator has the list of vulnerabilities present in the system, he should remove
them by applying the necessary patches and updates and installing the necessary software and other
requisites. In this way the administrator removes all vulnerabilities from the network. In this
paper we show that vulnerability assessment and penetration testing is a cyber attack prevention
technology, and how it can provide active cyber attack prevention. We describe the complete life
cycle of vulnerability assessment and penetration testing on systems or networks, and the proactive
action taken to resolve each vulnerability and stop a possible attack.
Keywords: VAPT Tools; System Security; Cyber Attack. 
1. Introduction 


A vulnerability is a weakness in an application, either an implementation bug or a design flaw,
that allows an attacker to cause harm to the user of the application and gain extra privileges.
Vulnerabilities are a potential risk for the system. Attackers use these vulnerabilities to exploit
the system and gain unauthorized access and information. Vulnerabilities are a big flaw in system
security and information assurance. A vulnerability-free system can provide more information
assurance and system security. Hackers have been busy launching and trying their hands at different
variants of cyber-attacks such as phishing, malware, distributed denial-of-service (DDoS),
denial-of-service (DoS), advanced persistent threat (APT), malicious social media messaging (MSMM),
business email compromise (BEC), botnets and ransomware, amongst many others [1-12]. In a phishing
attack, hackers use harmful links hidden in carefully designed emails to target company employees.
When employees click on such links, they unknowingly download keylogging software onto their
computers or devices, giving hostile actors access to their credentials. Hackers can then gain
unrestricted access to critical business assets and data of the victim’s organization by
impersonating a genuine employee.


Although it is almost impossible to have a 100% vulnerability-free system, removing as many
vulnerabilities as possible increases system security. The need for Vulnerability Assessment and
Penetration Testing has usually been underestimated until now. It is considered a mere formality
and is used by very few people [13-27]. By using regular and efficient Vulnerability Assessment, we
can substantially reduce the risk of being attacked and have more secure systems. In this paper we
describe Vulnerability Assessment and Penetration Testing as an important Cyber Attack Prevention
Technology. By using VAPT as a Cyber Attack Prevention Technology we can remove vulnerabilities
from our system and reduce the possibility of cyber-attack. We explain various techniques of
Vulnerability Assessment and Penetration Testing. We describe the complete life cycle of VAPT for
proactive defence. This also provides the complete process for using VAPT as a Cyber Attack
Prevention technology.


Much research has been done in the past on Vulnerability Assessment. Computer vulnerability
information shows important regularities, and those can also be detected and possibly visualized
[28-39]. The interdependency of multiple vulnerabilities and exploits in a single network and their
effects. Web vulnerability scanner tool ’SecuBat’ developed by them. This analyses vulnerability
interdependencies and possible attack paths into a computer network.


Vulnerability Assessment and Penetration Testing is a step-by-step process. Vulnerability
assessment is the process of scanning a system, software or network to find its weaknesses and
loopholes. These loopholes can give an attacker a backdoor through which to attack the victim. A
system may have access control vulnerabilities, boundary condition vulnerabilities, input
validation vulnerabilities, authentication vulnerabilities, configuration weakness vulnerabilities,
exception handling vulnerabilities, etc.


Penetration testing is the next step after vulnerability assessment. Penetration testing is an
attempt to exploit the system in an authorized manner in order to find the possible exploits in the
system. In penetration testing, the tester has the authority to perform the test and intentionally
exploits the system to find possible exploits [40-51]. Vulnerability Assessment and Penetration
Testing is a 9-step process in total. First of all, the tester has to decide the scope of the
assignment (black/grey/white box). After deciding the scope, the tester gathers information about
the operating system, network and IP addresses in the reconnaissance step. After this, the tester
uses various vulnerability assessment techniques (explained further) on the test object to find
vulnerabilities. Then the tester analyses the vulnerabilities found and makes a plan for
penetration testing. The tester uses this plan to penetrate the victim’s system. After penetrating
the system, the tester escalates privileges in the system [52-54].


Vulnerability Assessment:
* Non-intrusive
* Wide focus
* Starting point for testing security
* Mix of interviews and tools

Both (centre column of the figure):
* White box, gray box
* Report on vulnerabilities
* Information gathering
* Use of security tools

Penetration Testing:
* Black box
* Intrusive
* Narrow focus
* Advanced security test
* Report on exploits
* Heavy use of security tools


Figure 1. Vulnerability Assessment & penetration testing (Source: Internet) 


In the result analysis step, the tester analyses all the results and devises recommendations to
resolve the vulnerabilities in the system. All these activities are documented and sent to
management so that suitable action can be taken. After all these steps, the victim’s system and its
programs have been affected and altered. In the cleanup step we restore the system to the state it
was in before the VAPT process started.
2. Vulnerability Assessment Methods


Static analysis - In this technique we do not execute any test case or exploit. We analyze the
code structure and contents of the system. With this technique we can find all types of
vulnerabilities. Because we do not exploit the system, this testing has no adverse effect on it.
One big disadvantage of this technique is that it is quite slow and requires many man-hours to
perform.


Manual Testing - In this technique, we do not require any tool or software to find
vulnerabilities. The tester uses his own knowledge and experience to find the vulnerabilities in
the system. This testing can be performed with a prepared test plan (systematic manual testing) or
without any test plan (exploratory manual testing). This technique is cheaper than the other
techniques, because we do not need to buy any vulnerability assessment tool for it.


Automated Testing - In the automated testing technique we use automated vulnerability testing
tools to find vulnerabilities in the system. These tools execute all the test cases to find
vulnerabilities. This reduces the man-hours and time required to perform testing. With a tool,
repeated testing can also be performed very easily. Automated testing provides better accuracy
than the other techniques. It takes very little time, and the same test cases can be used for
future operations. But tools increase the cost of testing. A single tool is not capable of finding
all types of vulnerabilities, so this increases the total cost of performing vulnerability
assessment.


Fuzz testing - This is also known as fuzzing. In this technique we input invalid or random data
into the system and then look for crashes and failures. This is like robustness testing. This
technique can be applied with very little human interaction. This technique can be used to find
zero-day vulnerabilities.
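A small mutation fuzzer for the fuzz-testing method described above, added here as an example and not taken from the paper. The record format, `parse_record` and its boundary-condition bug are constructed for illustration; a handled `ParseError` counts as correct rejection, any other exception as a robustness failure.

```python
import random

class ParseError(Exception):
    """Clean, expected rejection of malformed input."""

def parse_record(data: bytes, check_length: bool = False) -> int:
    """Constructed target: 1-byte type, 1-byte length, payload; returns XOR checksum."""
    if len(data) < 2:
        raise ParseError("short header")
    if data[0] not in (1, 2):
        raise ParseError("unknown record type")
    length, payload = data[1], data[2:]
    if check_length and length > len(payload):
        raise ParseError("length field exceeds payload")   # the fix
    checksum = 0
    for i in range(length):          # without the check: trusts the length field
        checksum ^= payload[i]       # IndexError on a short payload
    return checksum

def parse_record_fixed(data: bytes) -> int:
    return parse_record(data, check_length=True)

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, truncation, or byte insertion."""
    buf = bytearray(seed)
    op = rng.choice(("flip", "truncate", "insert"))
    if op == "flip" and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == "truncate" and buf:
        del buf[rng.randrange(len(buf)):]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)

def fuzz(target, seeds, iterations=2000, rng_seed=1234):
    """Return {exception name: first input that triggered it} for unhandled failures."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except ParseError:
            continue                  # rejecting bad input is correct behaviour
        except Exception as exc:      # anything else is a robustness failure
            crashes.setdefault(type(exc).__name__, case)
    return crashes

SEEDS = [b"\x01\x04ABCD", b"\x02\x02hi"]   # constructed valid records

if __name__ == "__main__":
    print("unpatched:", fuzz(parse_record, SEEDS))
    print("patched:  ", fuzz(parse_record_fixed, SEEDS))
```

The saved input per exception class is a reproducer: replaying it against the patched parser confirms the fix.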


Black box testing - In this technique, the tester does not have any prior knowledge of the
network architecture or systems of the network under test. Usually black box testing is performed
from the external network towards the internal network. The tester has to use his expertise and
skills to perform this testing.


Grey box testing - In this technique, the tester has partial knowledge of the network under
test. The tester does not know the complete network architecture, but he knows some basic
information about the network and system configuration. Grey box testing is in effect a
combination of the other two techniques. It can be performed from the internal or the external
network.


White box testing - The tester has complete knowledge of the network configuration and the
system configuration of the network/system under test. Usually this testing is performed from the
internal network. White box testing requires a deep understanding of the network or system under
test and gives better results.


Here, we show how vulnerability analysis can be considered a Cyber Attack Prevention technology.
What an attacker usually does is reconnoitre the victim’s network and gather information about it.
After gathering this information, the attacker performs a vulnerability assessment on the victim’s
network/system and obtains the vulnerability list.
3. Conclusions 


Now if the attacker performs a vulnerability assessment of the victim’s system/network, he will
not find any open vulnerability in it. In the absence of open vulnerabilities in the system, the
attacker will not be able to exploit the victim’s system/network. So by using Vulnerability
Assessment and Penetration Testing as a cyber-defence technology, the administrator can protect
his resources and critical information and achieve proactive Cyber Attack Prevention. In this paper
we explained how Vulnerability Assessment and Penetration Testing can be used as an effective Cyber
Attack Prevention technology. We described why VAPT should be made a compulsory activity for Cyber
Attack Prevention. We explained the complete life cycle of VAPT, prevalent VAPT techniques and the
top 15 vulnerability assessment tools.
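The assess, patch and re-assess cycle argued for in the abstract and conclusions, sketched as an added example that is not part of the original paper. The hosts, package names, versions and advisory IDs are constructed placeholders, and a plain dotted numeric version scheme is assumed.

```python
def parse_version(text):
    """'2.4.10' -> (2, 4, 10), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))

# Constructed sample data; hosts, packages, versions and advisory IDs are placeholders.
INVENTORY = {
    "web01": {"webserver": "2.4.9", "tlslib": "1.1.1"},
    "db01": {"dbserver": "10.2", "tlslib": "1.1.10"},
}
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "webserver", "fixed_in": "2.4.10"},
    {"id": "ADV-EXAMPLE-2", "package": "tlslib", "fixed_in": "1.1.2"},
    {"id": "ADV-EXAMPLE-3", "package": "dbserver", "fixed_in": None},  # no patch released
]

def assess(inventory, advisories):
    """Vulnerability assessment: list (host, advisory, package, fixed_in) still open."""
    findings = []
    for host, packages in sorted(inventory.items()):
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed is None:
                continue                       # package not present on this host
            fixed = adv["fixed_in"]
            if fixed is None or parse_version(installed) < parse_version(fixed):
                findings.append((host, adv["id"], adv["package"], fixed))
    return findings

def remediate(inventory, findings):
    """Apply available patches to a copy of the inventory; unpatched items stay as they are."""
    patched = {host: dict(packages) for host, packages in inventory.items()}
    for host, _adv_id, package, fixed in findings:
        if fixed is not None:
            patched[host][package] = fixed
    return patched

def vapt_cycle(inventory, advisories):
    """Assess, patch, re-assess; returns (findings before, findings after)."""
    before = assess(inventory, advisories)
    after = assess(remediate(inventory, before), advisories)
    return before, after

if __name__ == "__main__":
    before, after = vapt_cycle(INVENTORY, ADVISORIES)
    print("open before patching:", before)
    print("open after patching: ", after)   # only the finding with no patch remains
```

A finding that survives re-assessment because no patch exists has to be handled by another countermeasure and tracked until a fix is available.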